Vast Ai

What to consider before installing/use: 1) The skill legitimately targets VAST.ai and only needs your VAST API key to operate, which is proportional. 2) The package metadata omits the required VAST_API_KEY — the SKILL.md and code do require it; treat that omission as a red flag and ask the author to correct the metadata. 3) SKILL.md references an absolute developer path (/Users/sschepis/Development/...) and assumes a built dist/cli.js exists; the repo only contains TypeScript sources. You will need to run npm install and build (npx tsc) before the CLI will work — building/installation runs third-party code, so review compiled JS before executing and consider running in an isolated environment. 4) Before providing your VAST API key, verify the network endpoints in the code (baseUrl is console.vast.ai/api/v0) and ensure there are no hidden/external endpoints; this code appears to use only axios to the VAST API. 5) Because the skill can perform write actions (rent, destroy), only supply a key with least privilege (if VAST supports restricted keys) or use an account with limited funds. 6) Ask the publisher to: (a) declare VAST_API_KEY in the skill metadata, (b) remove absolute local paths from SKILL.md and use relative or packaged dist paths, and (c) include built artifacts or an install script so the agent/runtime behaviour is reproducible. If you cannot verify these fixes, run the code in an ephemeral VM/container and avoid giving your production VAST API key.